Bug 1470701 - Switching from Targeted to MLS shows "denied" AVCs after reboot [NEEDINFO]
Switching from Targeted to MLS shows "denied" AVCs after reboot
Status: MODIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
Unspecified Unspecified
low Severity low
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-13 09:38 EDT by Renaud Métrich
Modified: 2017-09-18 10:39 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-17 08:17:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
lvrabec: needinfo? (mmalik)


Attachments (Terms of Use)

  None (edit)
Description Renaud Métrich 2017-07-13 09:38:26 EDT
Description of problem:

After a fresh minimal installation of RHEL7.3 using the DVD, then updating to latest updates,
I followed strictly the documentation to switch from Targeted policy to MLS (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/mls.html).
After reboot, relabelling occurred but some "denied" AVCs are shown in the audit log.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-102.el7_3.16.noarch
selinux-policy-mls-3.13.1-102.el7_3.16.noarch


How reproducible:

Always

Steps to Reproduce:
1. Install a VM using RHEL7.3 DVD
2. (Optional) Update
3. Have the journal be persistent:
    mkdir /var/log/journal
    systemctl restart systemd-journald.service
4. Follow the doc to switch to MLS

Actual results:

During relabelling, some contexts are invalid:

Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:cert_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:selinux_config_t:s0 is not valid (left unmapped
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:semanage_store_t:s0 is not valid (left unmapped
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:file_context_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:system_conf_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:bin_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:rhnsd_conf_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:etc_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:admin_home_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:home_cert_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_var_lib_t:s0 is not valid (left unmapped)
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:authconfig_var_lib_t:s0 is not valid (left unmapped
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:init_var_lib_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rhsmcertd_var_lib_t:s0 is not valid (left unmap
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_log_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rpm_log_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rhsmcertd_log_t:s0 is not valid (left unmapped)
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:ldconfig_cache_t:s0 is not valid (left unmapped
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rpm_var_cache_t:s0 is not valid (left unmapped)
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:mail_spool_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:abrt_var_cache_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:vlock_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhnsd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:blkmapd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:44 vm-mls kernel: SELinux:  Context system_u:object_r:authconfig_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:user_home_dir_t:s0 is not valid (left unmapped)
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:user_home_t:s0 is not valid (left unmapped).
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:boot_t:s0 is not valid (left unmapped).

After complete boot, "audit2why" reports errors:

# audit2why -a
type=AVC msg=audit(1499952452.636:83): avc:  denied  { open } for  pid=659 comm="audispd" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.636:84): avc:  denied  { getattr } for  pid=659 comm="audispd" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.651:85): avc:  denied  { open } for  pid=671 comm="auditctl" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.651:85): avc:  denied  { read } for  pid=671 comm="auditctl" name="ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.432:89): avc:  denied  { read } for  pid=563 comm="lvm" name="gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.433:90): avc:  denied  { open } for  pid=563 comm="lvm" path="/usr/lib64/gconv/gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.433:91): avc:  denied  { getattr } for  pid=563 comm="lvm" path="/usr/lib64/gconv/gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952455.281:93): avc:  denied  { getattr } for  pid=513 comm="systemd-udevd" path="/usr/lib/modules/3.10.0-514.26.2.el7.x86_64/modules.dep.bin" dev="dm-0" ino=50702474 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952465.825:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reboot } for auid=n/a uid=0 gid=0 cmdline="systemctl --force reboot" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952465.809:95): avc:  denied  { setattr } for  pid=1197 comm="cpio" name="null" dev="tmpfs" ino=18286 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952478.285:14): pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { contains } for  spid=1 tpid=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=context  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952478.285:15): pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { contains } for  spid=1 tpid=651 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tclass=context  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952478.248:13): avc:  denied  { write } for  pid=653 comm="brandbot" name="os-release" dev="dm-0" ino=16777319 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952478.424:22): avc:  denied  { getopt } for  pid=672 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:gssproxy_t:s0-s15:c0.c1023 tcontext=system_u:system_r:gssproxy_t:s15:c0.c1023 tclass=unix_stream_socket
	Was caused by:
()
#Constraint rule:

#	mlsconstrain unix_stream_socket { connect accept } ((l1 eq l2 -Fail-)  or (t1 == { system_dbusd_t inetd_t sssd_t virtd_t xserver_t } -Fail-)  and (h1 dom l2)  or (t1 == { init_t setrans_t } -Fail-)  and (t1 == virtd_t -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2)  or (t1 == { inetd_t initrc_t sssd_t virtd_t xdm_t } -Fail-)  and (h1 dom l2)  and (l1 domby l2)  or (t1 == { kernel_t cupsd_t system_dbusd_t init_t auditd_t audisp_t audisp_remote_t syslogd_t setrans_t } -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { read getattr listen accept getopt recv_msg } ((l1 dom l2 -Fail-)  or (t1 == { system_dbusd_t inetd_t sssd_t virtd_t xserver_t } -Fail-)  and (h1 dom l2)  or (t1 == { init_t setrans_t } -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { write setattr relabelfrom connect setopt shutdown } ((l1 eq l2 -Fail-)  or (t1 == virtd_t -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2)  or (t1 == { inetd_t initrc_t sssd_t virtd_t xdm_t } -Fail-)  and (h1 dom l2)  and (l1 domby l2)  or (t1 == { kernel_t cupsd_t system_dbusd_t init_t auditd_t audisp_t audisp_remote_t syslogd_t setrans_t } -Fail-)  or (t2 == { httpd_bool_t faillog_t anon_inodefs_t devtty_t kernel_t kvm_device_t null_device_t proc_numa_t ptmx_t security_t tmpfs_t tun_tap_device_t vhost_device_t zero_device_t crond_t cupsd_t cupsd_var_run_t system_dbusd_t system_dbusd_var_run_t initctl_t devlog_t syslogd_t syslogd_var_run_t setrans_t setrans_var_run_t sshd_t sssd_t sssd_var_lib_t sudo_db_t virt_log_t qemu_var_run_t xdm_t xserver_t } -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.

type=AVC msg=audit(1499952478.748:26): avc:  denied  { read } for  pid=684 comm="modprobe" path="/run/xtables.lock" dev="tmpfs" ino=14220 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_var_run_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:95): avc:  denied  { getattr } for  pid=1035 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:96): avc:  denied  { open } for  pid=1035 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:96): avc:  denied  { write } for  pid=1035 comm="sysctl" name="protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952488.579:115): avc:  denied  { dyntransition } for  pid=1086 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0 tclass=process
	Was caused by:
	The boolean ssh_sysadm_login was set incorrectly. 
	Description:
	Allow ssh to sysadm login

	Allow access by executing:
	# setsebool -P ssh_sysadm_login 1
type=AVC msg=audit(1499952604.360:124): avc:  denied  { name_connect } for  pid=1173 comm="rhsmcertd-worke" dest=443 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
type=AVC msg=audit(1499952609.767:125): avc:  denied  { name_connect } for  pid=1175 comm="rhsmcertd-worke" dest=443 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
type=AVC msg=audit(1499952619.668:126): avc:  denied  { getattr } for  pid=1187 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:127): avc:  denied  { execute } for  pid=1187 comm="virt-what" name="dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:128): avc:  denied  { read } for  pid=1187 comm="virt-what" name="dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:129): avc:  denied  { execute_no_trans } for  pid=1188 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:129): avc:  denied  { open } for  pid=1188 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:130): avc:  denied  { open } for  pid=1175 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=16777291 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { create } for  pid=1175 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { add_name } for  pid=1175 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { write } for  pid=1175 comm="rhsmcertd-worke" name="rpm" dev="dm-0" ino=16777290 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
Comment 2 Lukas Vrabec 2017-07-17 08:17:12 EDT
Hi, 

Di you follow these instructions? Because if you switching to MLS you should do restorecon. 

Please try it again with following tutorial: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html

If you have still some issues, feel free to re-open this BZ.
Comment 3 Renaud Métrich 2017-07-17 08:49:38 EDT
I followed the instructions. There is no restorecon command to issue, but the autorelabel.
As written, relabelling occurs during reboot but fails partially.
Comment 4 Lukas Vrabec 2017-07-17 09:39:48 EDT
Okay, 

Could you run fixfiles instead of autorelabel? 

# fixfiles -F onboot

Thanks.
Comment 5 Renaud Métrich 2017-07-17 11:26:48 EDT
This is what I did since I followed the RHEL7 guide.
From the relabelling traces, some invalid context issues appear (see the description).
Comment 6 ruckc@yahoo.com 2017-07-17 20:10:51 EDT
just ran into these today, when trying to test the MLS policies in RHEL 7, versus RHEL 6.  Seems like most of this should be caught before getting released.  Also catches me in kind of a bind, as it appears most of these appear because the scontext isn't getting set correctly.  I'd be tempted to write a module to address these, but allowing permissions to services properly typed is one thing, and improperly typed is quite another.
Comment 7 Lukas Vrabec 2017-09-18 10:38:51 EDT
I tried switch RHEL-7.4 and RHEL-7.3 systems to MLS using: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/mls.html

Systems are booting fine in Enforcing. 

MLS policy type is too strictly so some AVCs during boot are expected. I prefer close this and use local policy for fixing AVCS.

Note You need to log in before you can comment on or make changes to this bug.